(RADIATOR) RadSec and IPv6?
Mike McCauley
mikem at open.com.au
Fri Jul 7 18:59:11 CDT 2006
Hello Patrick,
Looks like you have sanitized the log file and config file (understandably),
but it makes it hard for me to be sure what is going on. Perhaps you will
send to me privately unsanitized (except for passwords) logs and config file
for both the successful IPV4 and unsuccessful IPV6 cases.
You should note that if the IPV4 case works OK, then it is possible the
certificate is for the IPV4 DNS host name, which may not work in the IPV6
case (i.e. if the IPV4 and IPV6 DNS host names are different then you will need
either different certificates or use a subject alt name in the certificate.)
Cheers.
On Friday 07 July 2006 19:52, Patrick Renkens wrote:
> Hi all,
>
> We have successfully set up RadSec over IPv4 with Radiator 3.15, see
> configuration details at the end of this mail.
> At this stage we use RadSec to transport accounting records in a safe
> way. It runs smoothly.
>
> However we would like to setup RadSec over IPv6.
> When we use the correct IPv6 addresses with the 'Host' statement, we get
> errors like below.
>
> Is this a problem concerning the RadSec implementation or a certificate
> problem?
>
> Any other relevant information:
> - We use the same certificates for IPv4 and IPv6.
> - Both systems run Solaris 5.9 and Radiator 3.15.
> - DNS for IPv4 and IPv6 is correctly configured, including reverse.
> - There is no firewall problem, TCP port 2083 is open either way.
>
>
> DEBUG: Stream attempting tcp connection to ipv6:...:2083
> DEBUG: Stream connection in progress to ipv6:...:2083
> DEBUG: Stream connected to ipv6:...:2083
> DEBUG: StreamTLS sessionInit for ipv6:...
> DEBUG: StreamTLS SSL_connect result: -1, 2, 4384
> DEBUG: StreamTLS Client Started for ipv6:...:2083
> DEBUG: Verifying certificate with Subject '/C=NL/O=.../OU=.../CN=...'
> presented by peer ipv6:...
> ERR: Verification of certificate presented by ipv6:... failed
> DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> ERR: StreamTLS client error: -1, 1, 4401, 24610: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>
>
> <AuthBy RADSEC>
> Identifier ACCOUNTING
> Host ipv4 hostname and domain
> Port 2083
> Protocol tcp
> Secret ...
> UseTLS 1
> TLS_CAFile %D/cert/ca.crt
> TLS_CertificateFile %D/cert/'host.domain'.crt
> TLS_CertificateType PEM
> TLS_PrivateKeyFile %D/cert/'host.domain'.key
> IgnoreAuthentication
> IgnoreAccountingResponse
> </AuthBy>
>
>
>
> BindAddress 0.0.0.0,ipv6:...
> <ServerRADSEC>
> Port 2083
> Protocol tcp
> UseTLS
> TLS_CAFile %D/cert/ca.crt
> TLS_CertificateFile %D/cert/'host.domain'.crt
> TLS_CertificateType PEM
> TLS_PrivateKeyFile %D/cert/'host.domain'.key
> TLS_RequireClientCert
> TLS_SessionResumption 0
> Secret ...
> Identifier RADSEC
> </ServerRADSEC>
--
Mike McCauley mikem at open.com.au
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
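Added example (not Radiator code and not part of the thread): a small hostname-to-certificate matcher in the shape of Python's `ssl.getpeercert()` output, to illustrate the point above about CN versus subject alt name. It applies the usual TLS rule (RFC 6125): when the certificate carries DNS subjectAltName entries, only those are consulted and the CN is ignored; without any SAN the CN is used. The host names `radius4.example.net` / `radius6.example.net` and both certificate descriptions are constructed for illustration; how Radiator's own StreamTLS performs this check is not stated on the page, and "certificate verify failed" can also come from a chain/CA problem, so this only models the name-matching part.

```python
"""Hostname matching against a certificate, in ssl.getpeercert() shape.

Added example, not Radiator code. All host names and certificate
contents below are constructed for illustration.
"""


def cert_names(cert):
    """Return (san_dns_names, common_names) from a getpeercert()-style dict.

    cert["subject"] is a tuple of RDNs, each a tuple of (key, value) pairs;
    cert["subjectAltName"] is a tuple of (type, value) pairs.
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]
    return san, cns


def _name_matches(pattern, hostname):
    """Exact match, or a single leftmost wildcard label ('*.example.net')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]  # ".example.net"
        if not hostname.endswith(suffix):
            return False
        head = hostname[: -len(suffix)]  # the label the wildcard stands for
        return bool(head) and "." not in head  # exactly one label, not empty
    return False


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate's SAN list, or by the
    CN only when the certificate has no DNS SAN entries at all."""
    san, cns = cert_names(cert)
    candidates = san if san else cns
    return any(_name_matches(c, hostname) for c in candidates)


# Constructed certificate descriptions (hypothetical host names).
# A CN-only certificate issued for the IPv4 name:
CN_ONLY_CERT = {
    "subject": ((("countryName", "NL"),), (("commonName", "radius4.example.net"),)),
}
# The same CN, plus a SAN listing both the IPv4 and the IPv6 host name:
SAN_CERT = {
    "subject": ((("countryName", "NL"),), (("commonName", "radius4.example.net"),)),
    "subjectAltName": (("DNS", "radius4.example.net"), ("DNS", "radius6.example.net")),
}


def check_both_names(cert, names=("radius4.example.net", "radius6.example.net")):
    """Report, per host name, whether the certificate would be accepted."""
    return {n: hostname_matches(cert, n) for n in names}


if __name__ == "__main__":
    # The CN-only certificate passes for the IPv4 name and fails for the IPv6 one.
    print("CN only :", check_both_names(CN_ONLY_CERT))
    # The SAN certificate covers both names.
    print("with SAN:", check_both_names(SAN_CERT))
```

The second dictionary is the shape of fix Mike describes: one certificate whose subjectAltName lists every DNS name a peer might connect to, so the same key pair serves the IPv4 and IPv6 endpoints. Note the CN is not a fallback once a SAN exists, so a certificate with the IPv6 name only in the CN and the IPv4 name in the SAN still fails for IPv6.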